玉山科技 AsiaPeak  
 



How to use an HSM with DNSSEC (Domain Name System Security Extensions) to protect DNS data


The Domain Name System (DNS) is the backbone of the Internet. It is a global address book for computers: it resolves website addresses to specific IP addresses, enabling computers across the Internet to exchange information such as Web pages and files.

However, DNS is vulnerable to attack. For example, an attacker can interfere with DNS responses, redirecting data to their own computers for malicious gain. The Domain Name System Security Extensions (DNSSEC) are an extension to DNS that addresses this problem. DNSSEC uses Public Key Infrastructure (PKI) techniques to validate the DNS lookup response and so maintain the integrity of the DNS address book.

For DNSSEC to function properly, it is essential that the private keys, the Zone Signing Key and the Key Signing Key, are protected. Typically, the DNS server stores these keys in software within the same DNS appliance. However, this provides only limited security. The only way to properly secure the private keys is to store them in an nCipher product line Hardware Security Module (HSM). Because the keys never leave the HSM, they are never exposed on the host computer and are therefore not potentially available to an attacker. Moreover, the HSM is highly resistant to physical tampering.

This guide explains how to store private DNSSEC keys within an HSM, and how to integrate the HSM with the Internet Systems Consortium (ISC) BIND DNS server and OpenSSL. This guide does not give a detailed explanation of the protocol, but it does provide references to sources that give a more in-depth explanation of DNSSEC and BIND.

ISPs and large enterprises or banks that have DNS servers are welcome to call and request this document: nCipher HSM integration guide for ISC BIND DNSSEC

Please call 02-77294248


玉山科技 © Copyright AsiaPeak 2006, All Rights Reserved